Vulnerability Reporting

Rippling is first and foremost a security company. We understand that transparency is an important part of security, and we pride ourselves on working with the security community to identify and address vulnerabilities promptly.

The vulnerability must have a clear security impact.

The vulnerability must be disclosed only to Rippling.

The vulnerability must not be a duplicate with a previous report.

You must not exploit the vulnerability to cause an adverse effect on other users, including gaining access to or modifying data of other users without their permission. You may create your own Rippling accounts to test against, but please refrain from using automated scripts to create accounts.

Vulnerabilities on 3rd party services and vulnerabilities requiring physical access, social engineering, or brute force are generally out of scope for the bug bounty program.

Rippling reserves the sole right to determine the eligibility and severity of the vulnerability and its bounty reward.

Please send reports to security@rippling.com along with all details necessary to reproduce the issue. For particularly sensitive information, you may use the following GPG key: